The Oregon Construction Contractors Board (CCB) has discovered a security breach involving 8,013 online contractor accounts. Unauthorized individuals gained access to some contractors’ usernames and related password information. The incident occurred between October 27, 2018 and October 29, 2018, and was discovered on April 12, 2019, during a routine audit conducted by the Enterprise Security Office of the agency’s information technology databases. Unfortunately, personally identifying information in 466 of these accounts was accessible, and the CCB determined this constitutes a data breach for that subset of accounts. Upon detection of the issue, the CCB took immediate steps to determine the scope of the problem and then to remediate the problem. This work included closing the pathways used by the unauthorized individuals to gain access to the contractor accounts. The CCB is also enhancing its password protection security and is requesting that each affected account holder reset his or her password. The compromised information included the email, name, address, and password hash (the code that protects the password) of the affected individuals. Of those compromised accounts, 466 also included an ID number such as state ID or driver license. At this time, there is no evidence that the information has been misused. In addition to asking that all affected account holders reset their passwords, the CCB is sending letters to all affected account holders. These letters advise account holders that CCB is offering identity theft protection and fully managed ID theft recovery services to each of them for one year. Information on how to access these free services is included in the letters being mailed. The Construction Contractors Board is committed to protecting the privacy and security of its licensees, and its systems are frequently reviewed and audited.
